b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                     Effectiveness of Access Controls Over\n                      System Administrator User Accounts\n                               Can Be Improved\n\n\n\n                                      September 19, 2007\n\n                              Reference Number: 2007-20-161\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-927-7037\n Email Address | Bonnie.Heald@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                         September 19, 2007\n\n\n MEMORANDUM FOR CHIEF INFORMATION OFFICER\n\n FROM:                       Michael R. Phillips\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Effectiveness of Access Controls Over System\n                             Administrator User Accounts Can Be Improved (Audit # 200620032)\n\n This report presents the results of our review of the effectiveness of access controls over system\n administrator user accounts on Internal Revenue Service (IRS) computers. This review was\n included in the Treasury Inspector General for Tax Administration Fiscal Year 2006 Annual\n Audit Plan and was part of the Information Systems Programs unit\xe2\x80\x99s statutory requirements to\n annually review the adequacy and security of IRS technology.\n\n Impact on the Taxpayer\n To perform their job responsibilities, system administrators must be given total control over\n computer systems. Due to the sensitive nature of the system administrator position, the IRS must\n have proper controls in place to ensure only appropriate employees have administrator rights and\n privileges, administrator user accounts are reviewed annually for continued business need, their\n user accounts are protected with strong passwords, and their actions on computer systems are\n monitored for questionable activities. However, administrator user accounts were not always\n authorized and maintained properly, and administrator activities were not consistently reviewed\n and documented. Weak controls over user accounts could allow unauthorized individuals to gain\n access to these accounts, which could lead to unauthorized disclosure of taxpayer data and\n disruptions of service affecting work productivity and revenue collection.\n\n Synopsis\n The IRS has over 260 computer system applications to process tax records for\n 130 million taxpayers and to support and assist its employees in administering the nation\xe2\x80\x99s tax\n system. To properly carry out their duties and protect data in systems considered sensitive,\n\x0c                     Effectiveness of Access Controls Over System Administrator\n                                   User Accounts Can Be Improved\n\n\n\nsystem administrators are normally granted full control over computer systems, in effect\nproviding them unrestricted access and authority over the systems.\nWhile the IRS has established appropriate procedures for authorizing and maintaining\nadministrator user accounts as well as procedures to review their user account activities for\nimproprieties, we identified the following problems. These weaknesses occurred because\nmanagers and system administrators did not adhere to procedures.\nFirst, the IRS is not approving and maintaining proper documentation for establishing\nadministrator user accounts. We could not find authorization and approval documentation for\n31 (5 percent) of 607 user accounts for the 5 applications we reviewed. IRS managers informed\nus that paper authorization forms were never entered into the IRS computer system used to track\nuser accounts for all IRS applications and the paper forms have since been destroyed. Because\nno proof exists that these active user accounts were authorized, we have no assurance these\naccounts are legitimate, which increases the IRS\xe2\x80\x99 vulnerability to unauthorized access and\nfraudulent activities.\nSecond, the IRS had unnecessary administrator user accounts. Seventy-nine (13 percent) of\n607 active user accounts were not needed because the employees no longer had a business need\nto administer their respective computer systems. To address account review requirements, the\nIRS created automated computer programs (scripts) to identify user accounts with inactivity and\nto disable and remove those accounts meeting this criterion. Because managers and\nadministrators were relying on these scripts, they were not reviewing accounts or reports on\ninactivity to identify potential accounts that were no longer needed. However, we identified\nprogramming errors in the scripts that caused them to not properly identify all accounts with\ninactivity.\nThird, weak passwords on user accounts existed on all five applications we reviewed because\nsystemic password mechanisms did not adhere to required IRS password standards. The\napplications were running on an outdated operating system that would allow for the use of\npasswords that met standards but would not reject those passwords that did not meet standards.\nAs a result, managers and administrators may not be voluntarily complying with password\nstandards.\nFinally, audit trails1 are not being reviewed for four of the five applications we reviewed. While\nthe IRS was capturing every key stroke from administrator user accounts and sending the data\noffsite for backup purposes for three of the four applications, it was not conducting regular\nreviews of the audit trails. Capacity and performance problems have plagued the IRS\xe2\x80\x99\nimplementation of an audit trail solution for its Unix-based servers. As a result, the IRS allowed\n\n\n1\n An audit trail or audit log is a chronological sequence of audit records, each of which contains evidence directly\npertaining to and resulting from the execution of a business process or system function.\n                                                                                                                      2\n\x0c                  Effectiveness of Access Controls Over System Administrator\n                                User Accounts Can Be Improved\n\n\n\nthe user license to expire in September 2006, and the audit trail solution product is no longer\nbeing used.\nThe existence of active administrator user accounts with weak passwords for employees who no\nlonger have a business need poses an unnecessary risk for unauthorized disclosure of taxpayer\ndata and disruption of computer operations. Because of the trust relationship among computers\non the network, inadequate access controls over these user accounts could allow hackers and\ndisgruntled employees to have access to other computers on the network. In addition, when\naudit trails are not being reviewed, the IRS may not be detecting improper administrator\nactivities on computer system applications.\n\nRecommendations\nWe recommended the Chief Information Officer ensure managers identify system administrator\nuser accounts on all applications that do not have proper authorization documentation, assess\nwhether the accounts are still needed, and establish appropriate authorization documentation for\nthose accounts; test the automated computer programs (scripts) used to deactivate and/or delete\nadministrator user accounts with periods of inactivity; and reinforce the need for managers of\nsystem administrators to be cognizant of the applications their employees can access and limit\nthose access rights to only those applications needed to carry out their responsibilities. The\nChief Information Officer should also ensure the deployment of the host-based intrusion\ndetection software continues to ensure audit trail reviews over administrator user accounts on\nTier 2 Unix-based servers.\n\nResponse\nThe Chief Information Officer agreed with our recommendations. A process will be\nimplemented to review system administrator user accounts on all systems at least annually to\nensure only those system administrator user accounts with a continued business need exist on\nIRS systems, the feature of the operating systems will be implemented to identify and delete all\nsystem administrator user accounts with no activity for 45 days, and a notice will be sent to all\nmanagers of system administrators to reinforce the need to be aware of the applications their\nsystem administrators can access and to limit those access rights to only those applications\nneeded to carry out their responsibilities. In addition, Host-based Intrusion Detection Sensor\nagents will be deployed on Tier 2 Unix-based servers. Management\xe2\x80\x99s complete response to the\ndraft report is included as Appendix V.\nCopies of this report are also being sent to the IRS managers affected by the report\nrecommendations. Please contact me at (202) 622-6510 if you have questions or\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at\n(202) 622-8510.\n\n                                                                                                    3\n\x0c                        Effectiveness of Access Controls Over System Administrator\n                                      User Accounts Can Be Improved\n\n\n\n\n                                            Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 3\n          System Administrator User Accounts Were Not Always\n          Authorized and Maintained Properly............................................................Page 3\n                    Recommendations 1 through 3:...........................................Page 7\n\n          Audit Trails Are Not Consistently Reviewed and Documented...................Page 8\n                    Recommendation 4:..........................................................Page 9\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 10\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 12\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 13\n          Appendix IV \xe2\x80\x93 Description of Internal Revenue Service\n          Applications Selected for Review.................................................................Page 14\n          Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report .......................Page 15\n\x0c          Effectiveness of Access Controls Over System Administrator\n                        User Accounts Can Be Improved\n\n\n\n\n                        Abbreviations\n\nAIMS              Audit Information Management System\nALS               Automated Lien System\nASFR              Automated Substitute for Return System\nELS               Electronic Levy System\neTrust\xc2\xae           eTrust\xc2\xae Access Control and Audit\nExFIRS            Excise Files Information Retrieval System\nIRS               Internal Revenue Service\nOL5081            On-Line Form 5081\n\x0c                      Effectiveness of Access Controls Over System Administrator\n                                    User Accounts Can Be Improved\n\n\n\n\n                                            Background\n\nThe Internal Revenue Service (IRS) has over 260 computer system applications to process tax\nrecords for 130 million taxpayers and to support and assist its employees in administering the\nnation\xe2\x80\x99s tax system. The data in these systems are considered sensitive and require protection\nfrom unauthorized use, modification, disclosure, and destruction. The importance of protecting\nthese data was illustrated with passage of the Taxpayer Browsing Protection Act of 1997.1 This\nAct makes the willful unauthorized access and inspection of taxpayer records a crime; it applies\nto IRS employees to ensure they do not abuse their authority on accessing taxpayer records.\nTo ensure computer systems are operating as intended and are secure, the IRS has designated\nsystem administrators (also referred to as administrators) as the employees responsible for\nmaintaining computer systems. Maintenance duties\ninclude monitoring system performance, responding         System administrators are normally\nto system outages or problems, adjusting settings and      granted full control over computer\nconfigurations for security and operational purposes,      systems, in effect providing them\ninstalling system and security patches, and installing     unrestricted  access and authority\n                                                                   over the systems.\nperipheral devices. To properly carry out these\nduties, administrators must be given total control\nover computer systems, in effect providing them\nunrestricted access and authority over the systems. Due to the sensitive nature of having such\ncapabilities, the IRS must have proper controls in place to ensure only appropriate employees\nhave administrator rights and privileges and these employees do not abuse their authority.\nWe evaluated the IRS\xe2\x80\x99 controls over administrator accounts on the following five computer\napplications (systems) we judgmentally selected for our review. Appendix IV provides a\ndescription of these systems.\n      \xe2\x80\xa2    Audit Information Management System (AIMS).\n      \xe2\x80\xa2    Automated Lien System (ALS).\n      \xe2\x80\xa2    Automated Substitute for Return (ASFR) System.\n      \xe2\x80\xa2    Electronic Levy System (ELS).\n      \xe2\x80\xa2    Excise Files Information Retrieval System (ExFIRS).\nThis review was performed in the Modernization and Information Technology Services\norganization and the former Mission Assurance and Security Services organization in\n\n\n\n\n1\n    26 U.S.C.A. Sections 7213, 7213A, 7431 (West Supp. 2003).\n                                                                                          Page 1\n\x0c                    Effectiveness of Access Controls Over System Administrator\n                                  User Accounts Can Be Improved\n\n\n\nNew Carrollton, Maryland, and the Enterprise Computing Centers2 in Detroit, Michigan, and\nMemphis, Tennessee, during the period January 2007 through May 2007. The audit was\nconducted in accordance with Government Auditing Standards. Detailed information on our\naudit objective, scope, and methodology is presented in Appendix I. Major contributors to the\nreport are listed in Appendix II.\n\n\n\n\n2\n  IRS Computing Centers support tax processing and information management through a data processing and\ntelecommunications infrastructure.\n                                                                                                      Page 2\n\x0c                    Effectiveness of Access Controls Over System Administrator\n                                  User Accounts Can Be Improved\n\n\n\n\n                                     Results of Review\n\nSystem Administrator User Accounts Were Not Always Authorized\nand Maintained Properly\nThe IRS has established appropriate procedures for authorizing and maintaining administrator\nuser accounts. The process to establish a user account starts when an employee completes an\nInformation System User Registration/Change Request [On-Line Form 5081(OL5081)]3 to gain\nadministrator access to a particular computer system or application. When the request contains\nall necessary information, the OL5081 system sends an email message to the employee\xe2\x80\x99s\nmanager, who will need to access the OL5081 system to approve the request. Once the request\nhas been approved, the OL5081 system generates an email to an existing administrator over the\nparticular computer system or application and this designated administrator will create a new\nuser account for the employee. The employee is then notified that his or her user account is\nactive and ready for access. Annually, the OL5081 system sends an email to both the manager\nand employee to recertify that the administrator\xe2\x80\x99s system accesses are still appropriate and\nnecessary. To delete an employee who no longer has a need to access a system, the manager\ninitiates the user account removal process on the OL5081 system. An email is then sent to\nanother administrator to remove the user account.\nAlthough the OL5081 system automates the process for creating, maintaining, and deleting user\naccounts, certain actions continue to require human initiation and intervention. For example,\nmanagers must ensure employees need access to a system before granting access and promptly\nnotify the administrators to remove employees from the system when access is no longer\nnecessary. Managers are also required to annually review the appropriateness of their\nemployees\xe2\x80\x99 access privileges. In addition, designated administrators are responsible for adding\nand removing system user accounts, including other administrator user accounts, when\nauthorized; maintaining an up-to-date list of authorized users; and annually generating a list of\ncurrent system users and their access profiles to provide to the appropriate managers for review.\nManagers and system administrators did not adhere to system review procedures. As a result,\nour review of the five applications determined:\n\n\n\n\n3\n  The IRS uses the Information System User Registration/Change Request (Form 5081) to request and authorize user\naccounts for all systems. The OL5081 is an automated version of this Form. The OL5081 system was named after\nthe Form 5081; it automates some of the manual processes and provides a centralized system for all system access\nauthorizations.\n                                                                                                        Page 3\n\x0c                  Effectiveness of Access Controls Over System Administrator\n                                User Accounts Can Be Improved\n\n\n\n   \xe2\x80\xa2   Documentation for authorizations of user accounts could not be located.\n   \xe2\x80\xa2   Active user accounts existed for employees who no longer had a business need.\n   \xe2\x80\xa2   Password complexity did not meet IRS standards.\n\nDocumentation for authorization of system administrator user accounts could not\nbe located\nGenerally, the IRS is approving and maintaining proper documentation for establishing user\naccounts. However, we could not find authorization and approval documentation for\n31 (5 percent) of 607 user accounts for the 5 applications reviewed. IRS managers informed us\nthat paper Forms 5081 for those user accounts were never converted to the OL5081 system when\nit was first established and the paper Forms 5081 have since been destroyed. Because no proof\nexists that these active user accounts were authorized, we have no assurance these accounts are\nlegitimate, which increases the IRS\xe2\x80\x99 vulnerability to unauthorized access and fraudulent\nactivities. While 5 percent may seem low and acceptable, the capabilities of these user accounts\nmagnify the risk because they have unlimited control over computers.\nWe followed up with administrator managers to determine whether these user accounts were still\nneeded; the managers took action to establish OL5081 records for 15 of the 31 user accounts and\ndeleted the remaining 16 user accounts because they were no longer needed. Because of the lack\nof readily available authorization documentation, we could not determine whether these 16 user\naccounts were ever truly authorized. We did determine that none of the 16 user accounts were\never accessed.\n\nActive system administrator user accounts existed for employees who no longer\nhad a business need\nIn the 5 applications we reviewed, 79 (13 percent) of 607 active user accounts were not needed\nbecause the administrators no longer had a business need to administer their respective computer\nsystems, according to their managers. These 79 user accounts included the aforementioned\n16 user accounts for which we were unable to locate authorization documentation.\nIn addition, for 72 of the 79 user accounts, the administrators either never logged onto the system\nor had not logged onto the system in the past 90 calendar days. Figure 1 presents these numbers\nby the systems reviewed.\n\n\n\n\n                                                                                            Page 4\n\x0c                         Effectiveness of Access Controls Over System Administrator\n                                       User Accounts Can Be Improved\n\n\n\n    Figure 1: Active System Administrator User Accounts Without a Business Need\n      System    Number       Number of User      Number of User          Number of User           Number of User\n      Name      of Total        Accounts        Accounts Identified    Accounts Identified      Accounts Identified\n                  User       Identified With    With No Business       With No Business          With No Business\n                Accounts      No Business        Need and Never       Need and Not Logged       Need and Logged On\n                                  Need             Logged On              On in the Past            in the Past\n                                                                        90 Calendar Days         90 Calendar Days\n     AIMS          137              0                   0                       0                         0\n     ALS            89              2                   0                       2                         0\n     ASFR           99              4                   0                       4                         0\n     ELS            92              7                   0                       5                         2\n     ExFIRS        190             66                   29                      32                        5\n     Totals        607             79                   29                     43                         7\n    Source: Treasury Inspector General for Tax Administration analysis.\n\nFurther analysis revealed 6 of the 79 user accounts belonged to IRS contractors who no longer\nwork for the IRS. The contractors were first granted system access in November 2003, but\nsystem records show the contractors had never logged onto the system. The user accounts\nremained active and with the initial password assigned when the accounts were first established.\nThe IRS requires a user account (1) to be disabled if the user has not used the system in the past\n45 calendar days and (2) to be removed if the user has not used the system in the past\n90 calendar days. To address these requirements, the IRS created automated computer programs\n(scripts) to identify user accounts with inactivity and to disable and remove those accounts\nmeeting these criteria. Because managers and administrators were relying on these scripts, they\nwere not reviewing accounts or reports on inactivity to identify potential accounts that were no\nlonger needed. However, we identified programming errors in the scripts that caused them to not\nproperly identify those user accounts for which the administrator had never logged onto the\naccount and for which linked user accounts4 existed. As a result, inactive user accounts were\nnot being identified and removed. Had the scripts worked properly, they would have identified\n72 (91 percent) of the 79 user accounts as no longer being needed and properly disabled and\nremoved them.\nAlso, administrator managers may be unaware of whether their employees continue to have a\nbusiness need for system access as part of the OL5081 annual recertification process. As stated\nabove, employees\xe2\x80\x99 managers are required to review the appropriateness of their employees\xe2\x80\x99\naccess privileges and to annually recertify, along with the employee, on the OL5081 system. For\nthe user accounts reviewed, we contacted the employees\xe2\x80\x99 managers of record listed on the\nOL5081 system to confirm whether the employees continued to need access to the systems.\n\n4\n  These are switch-user accounts that allow system administrators to log on as a normal user and then switch user\nrights, when necessary, giving them root status access and full system administrative control over the system.\n                                                                                                              Page 5\n\x0c                 Effectiveness of Access Controls Over System Administrator\n                               User Accounts Can Be Improved\n\n\n\nThese managers of record could not make that determination and deferred to the managers of the\nsystems being reviewed. This situation illustrates the confusion over who may be in the best\nposition to serve as the certifying official.\nThe existence of active user accounts with system administrative rights for employees who no\nlonger have a business need poses an unnecessary risk for unauthorized access and disclosure of\ntaxpayer data. These types of accounts could allow hackers and disgruntled employees to have\nunabated access to the computer and its data. Because computer systems within a network have\na trust relationship among other computers on the network, the risk extends to other computer\nsystems as well. We attempted to use system records to determine whether any of the 79 user\naccounts had been potentially misused. However, the records were not maintained in a format\nthat could be used to identify improper activity.\n\nPassword complexity did not meet standards\nWeak passwords existed on system administrator user accounts on all five applications we\nreviewed. On one application, the passwords were not restricted to an eight-character minimum.\nAll five applications did not enforce the following password requirements:\n   \xe2\x80\xa2   Passwords must contain alpha and numeric characters and be case sensitive.\n   \xe2\x80\xa2   Password history must capture the last 24 passwords used to prevent reuse.\n   \xe2\x80\xa2   Passwords for user accounts must change at least every 60 calendar days.\nThe applications were running on an outdated operating system that would allow for the use of\npasswords that met standards but would not reject those passwords that did not meet standards.\nAs a result, managers and administrators may not be voluntarily complying with password\nstandards. This systemic weakness could allow a simple password such as \xe2\x80\x9cpassword\xe2\x80\x9d to be\nused. Due to the sensitivity of passwords, we did not attempt to reveal or obtain the actual\npasswords used by the administrators.\nLocal management informed us that the IRS is in the process of upgrading its servers, which will\nbe capable of enforcing the password requirements. We confirmed that one of the applications\nwe reviewed was upgraded, as of June 2007, and all password requirements were being enforced.\nHowever, we did not receive a definitive timetable for upgrading the rest of the applications.\nBecause the IRS is taking the necessary actions to address this security weakness, we made no\nformal recommendations specific to this issue. However, we encourage administrator managers\nto emphasize the password standards and to stress the potential vulnerabilities of using weak\npasswords until servers have been upgraded to allow IRS password standards to be enforced.\nWeak passwords over administrator user accounts leave the IRS vulnerable to hacker attacks.\nDisgruntled employees can employ password-hacking techniques to take over user accounts that,\nif successful, would give them complete access to the computer system and its resources, such as\ntaxpayer data and password files. This scenario could lead to potential disclosure of taxpayer\ndata.\n\n                                                                                         Page 6\n\x0c                  Effectiveness of Access Controls Over System Administrator\n                                User Accounts Can Be Improved\n\n\n\nRecommendations\nTo improve access controls over system administrator user accounts, we recommend the Chief\nInformation Officer ensure managers:\nRecommendation 1: Identify and reconcile system administrator user accounts on all\nsystems to the OL5081 system. For those accounts not on the OL5081 system, the system owner\nand the system administrator\xe2\x80\x99s manager should determine whether the employee continues to\nhave a business need for access. If he or she no longer has a business need, the user account\nshould be deleted. If he or she continues to have a business need, the manager should initiate the\nprocess of creating an OL5081 record for the user account.\n       Management\xe2\x80\x99s Response: The Chief Information Officer agreed with the\n       recommendation and will implement a process to review and compare system\n       administrator user accounts on all systems to the OL5081 system at least annually. This\n       process will ensure system administrator user accounts with a continued business need\n       exist on IRS systems.\nRecommendation 2: Test the automated computer programs (scripts) used to identify and\ndisable system administrator user accounts with 45 calendar days of inactivity, delete\nadministrator user accounts with 90 calendar days of inactivity, and periodically validate the\nresults to ensure the programs are working as intended.\n       Management\xe2\x80\x99s Response: The Chief Information Officer agreed with this\n       recommendation and will implement the feature of the operating systems to identify and\n       delete system administrator user accounts with 45 days of inactivity. An additional script\n       will be added on all Unix systems to ensure system administrator user accounts will be\n       removed after 90 days of inactivity. Quarterly, a review of systems will be completed to\n       ensure these automated processes are working as intended.\nRecommendation 3: Reinforce the need for system administrator managers to be cognizant\nof the applications their employees can access and limit those access rights to only those\napplications needed to carry out their responsibilities. Managers should consider long periods of\ninactivity when determining whether to recertify access rights on the OL5081 system.\n       Management\xe2\x80\x99s Response: The Chief Information Officer agreed with this\n       recommendation and will issue to all managers of system administrators a notice to\n       reinforce the need to be aware of the applications their system administrators can access\n       and to limit those access rights to only those applications needed to carry out their\n       responsibilities. The notice will also remind managers that long periods of inactivity\n       should be considered in determining access needs when recertifying on the OL5081\n       system.\n\n\n\n                                                                                           Page 7\n\x0c                     Effectiveness of Access Controls Over System Administrator\n                                   User Accounts Can Be Improved\n\n\n\nAudit Trails Are Not Consistently Reviewed and Documented\nAudit trails5 are not being reviewed for four of the five applications. All four applications are\nrunning on Tier 2 Unix-based servers using an audit software product called eTrust\xc2\xae Access\nControl and Audit (eTrust\xc2\xae). For one of the four applications, the IRS is not capturing or\nreviewing any audit trail information. For the other three applications, the IRS is capturing every\nkey stroke and sending it offsite for backup. However, the IRS is not generating audit trail\nreports and conducting regular reviews of the audit trails. A security specialist stated that audit\ntrail analysis may occur if a specific request is made, although these requests are infrequent.\nSuch analysis is difficult and would involve manually scrolling through the audit trail files and\ntrying to identify specific activity. If any questionable activity is identified, the security\nspecialist would report it to the Computer Security Incident Response Center.\nWe requested audit trail information for the 79 administrator user accounts that were no longer\nneeded, to determine whether questionable activities might have occurred for those accounts.\nWhile the security specialists over the systems reviewed had initially agreed to provide us with\nthe information, they later informed us that the process to access the information from the\nbackup system and to convert the raw data into a useable format was very time consuming,\nrequired too much computer processing resources, and would take personnel from their normal\nduties to complete the task. Because of these limitations, we question the practical ability to\ncreate reviewable audit trail information when needed.\nDepartment of the Treasury procedures require that audit trails be sufficient in detail to facilitate\nthe reconstruction of events if unauthorized activity or a malfunction occurs or is suspected.\nThese procedures also state that designated personnel must review audit trails at least weekly for\nsystems that contain sensitive information. IRS procedures require that, at a minimum, audit\ntrails include sufficient information to establish what events occurred, when the events occurred,\nand who (or what) caused them.\nDue to the capacity and performance problems that have plagued the IRS\xe2\x80\x99 implementation of\neTrust\xc2\xae for auditing of its Unix-based servers, the IRS has had to replace the product. At one\ntime, the eTrust\xc2\xae solution was used to provide audit trail analysis but never fully delivered in its\nreports or analysis. For example, there were problems with the eTrust\xc2\xae reports. Some were\nsimple formatting and sorting errors, but others were more significant, such as incorrect event\nstatus and reporting of erroneous events that were not requested. Also, eTrust\xc2\xae could collect\naudit logs only in text and not in the binary format necessary to run specific audit modules.\nBecause of these problems, the IRS allowed the user license for eTrust\xc2\xae to expire in September\n2006, and the product is no longer being used. A discussion with the Director, Information\nTechnology Security, determined that, in late May 2007, the IRS planned to begin an enterprise\n\n\n5\n An audit trail or audit log is a chronological sequence of audit records, each of which contains evidence directly\npertaining to and resulting from the execution of a business process or system function.\n                                                                                                              Page 8\n\x0c                  Effectiveness of Access Controls Over System Administrator\n                                User Accounts Can Be Improved\n\n\n\ndeployment of host-based intrusion detection software to monitor alerts and log files on servers\nfor suspicious activities and to report in near real-time to the Computer Security Incident\nResponse Center and Information Technology Security Field Specialists.\nEven the best controls designed to prevent improper computer activity can be circumvented with\nthe proper expertise. Disgruntled administrators and contractors who already have administrator\naccess rights to a system may attempt to circumvent IRS controls to gain access to sensitive\ninformation or to vandalize computer data and processing. To help minimize these risks, routine\ngeneration and review of audit trails can assist in detecting improper activities.\n\nRecommendation\nRecommendation 4: The Chief Information Officer should ensure the deployment of the\nhost-based intrusion detection software continues to ensure audit trail reviews over system\nadministrator user accounts on Tier 2 Unix-based servers.\n       Management\xe2\x80\x99s Response: The Chief Information Officer agreed with this\n       recommendation and will deploy the Host-based Intrusion Detection Sensor agents on\n       Tier 2 Unix-based servers. In addition, the Cybersecurity organization, specifically\n       Information Technology Security function field specialists, will be responsible for\n       monitoring and reviewing event logs and alerting the Computer Security Incident\n       Response Center of unusual or suspicious activity.\n\n\n\n\n                                                                                           Page 9\n\x0c                    Effectiveness of Access Controls Over System Administrator\n                                  User Accounts Can Be Improved\n\n\n\n                                                                                              Appendix I\n\n         Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to determine the effectiveness of access controls over\nsystem administrator user accounts on IRS computers. To accomplish our objective, we:\nI.      Determined whether system administrator user accounts had been properly approved by\n        reviewing the OL5081 system1 for all 607 administrator user accounts on 5 selected\n        applications (systems).2 From a population of 59 major applications, we judgmentally\n        selected the 5 applications based on the risk of the application and prior Treasury\n        Inspector General for Tax Administration audit coverage. Specifically, we:\n        A. Identified any other method (besides the OL5081 system) used for authorizing and\n           approving the creation of administrator user accounts on systems.\n        B. Compared each user on each application\xe2\x80\x99s list of administrators to the OL5081\n           system records. For any accounts not on the OL5081 system, we determined whether\n           paper records existed.\n        C. Reviewed Forms 5081 for proper approvals.\n        D. Where appropriate, consulted with administrators and managers to determine why no\n           Form 5081 existed, why the Form 5081 did not contain proper approval, how long the\n           administrator had access to the computer system without authorization, and whether\n           any of these conditions could have been resolved by the proposals from the OL5081\n           system projects that are currently in process.\nII.     Determined whether unnecessary system administrator user accounts, such as accounts\n        for nonadministrators or separated administrators, exist. Specifically, we:\n        A. Compared all administrator user accounts to the IRS timekeeping system listing\n           employee series, function, and status.\n        B. Identified potential nonadministrators and separated employees by comparing\n           administrator lists to the timekeeping system, presenting and confirming the lists with\n           local management, and, if applicable, identifying why administrator user accounts\n           that were no longer needed had not been disabled or closed.\n\n1\n  The IRS uses the Information System User Registration/Change Request (Form 5081) to request and authorize user\naccounts for all systems. The OL5081 is an automated version of this Form. The OL5081 system was named after\nthe Form 5081; it automates some of the manual processes and provides a centralized system for all system access\nauthorizations.\n2\n  Appendix IV provides a description of these systems.\n                                                                                                       Page 10\n\x0c                 Effectiveness of Access Controls Over System Administrator\n                               User Accounts Can Be Improved\n\n\n\n       C. Identified any administrator user account(s) that had not been used for 60 calendar\n          days and consulted with local management to determine whether there was any\n          justification for the account(s).\n       D. Determined whether administrator user accounts were regularly reviewed\n          independently to identify inactive accounts and accounts no longer needed.\nIII.   Determined whether shared, generic, duplicate, or default accounts existed. Specifically,\n       we reviewed system administrator user accounts for each application to identify accounts\n       with possible shared, generic, duplicate, or default user account names and consulted\n       with the administrators to determine why these types of accounts existed on the systems\n       and whether reasonable justification existed for the accounts.\nIV.    Determined whether applications contained strong password controls on system\n       administrator user accounts. Specifically, we reviewed password settings files to\n       determine whether settings were in compliance with IRS password policies and, if they\n       were not, consulted with the administrators and managers to determine why the password\n       controls had not been updated to reflect basic requirements.\nV.     Determined whether system administrator activities were regularly reviewed\n       independently for suspicious activities, computer configuration changes, and other\n       potential security issues. We consulted with the independent reviewer to determine\n       whether issues had been identified in the past, what the process was for handling those\n       issues, and what the cause was of each issue.\nVI.    Determined the causes for any conditions identified.\n\n\n\n\n                                                                                         Page 11\n\x0c                 Effectiveness of Access Controls Over System Administrator\n                               User Accounts Can Be Improved\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nStephen Mullins, Director\nKent Sagara, Audit Manager\nLouis Lee, Lead Auditor\nBret Hunter, Senior Auditor\nJody Kitazono, Senior Auditor\nAbraham Millado, Senior Auditor\n\n\n\n\n                                                                                     Page 12\n\x0c                Effectiveness of Access Controls Over System Administrator\n                              User Accounts Can Be Improved\n\n\n\n                                                                 Appendix III\n\n                         Report Distribution List\n\nActing Commissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Acting Chief of Staff C\nDeputy Commissioner for Operations Support OS\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Chief Information Officer OS:CIO\n\n\n\n\n                                                                       Page 13\n\x0c                  Effectiveness of Access Controls Over System Administrator\n                                User Accounts Can Be Improved\n\n\n\n                                                                                   Appendix IV\n\n            Description of Internal Revenue Service\n               Applications Selected for Review\n\nWe selected the following five IRS applications for our review of system administrator user\naccounts:\nAIMS \xe2\x80\x93 This System provides the inventory of and activity controls over active Examination\nDivision cases for input on status changes, adjustments, and case-closing actions.\nALS \xe2\x80\x93 This System supports revenue officers in field offices by tracking lien assignments and\nlien due dates. It provides the abilities to print lien documents and to support management\ninformation reporting on liens, generates Notices of Federal Tax Liens and Releases of Liens,\nand maintains a database of all outstanding items.\nASFR \xe2\x80\x93 This System supports the automated selection of investigations on those taxpayers who\nhave substantial reported income and yet refuse or neglect to file tax returns for a given year. It\ntracks all cases, issues required notices and results, and prepares a tax calculation summary that\nis mailed to the taxpayer.\nELS \xe2\x80\x93 This System enables tax examiners and clerks to review levies prior to printing and\nrequires only levies with errors or those flagged from the Levy Review Register to be reviewed.\nThe ELS eliminates time and paper costs associated with a manual review and the retyping of\nerroneous levies. The System also provides management with a variety of reports for volume,\nerror, and trend analyses.\nExFIRS \xe2\x80\x93 This System provides management information and support processes to assess the\nhealth and direction of the Excise Tax Program. Multiple applications support Excise Tax\nProgram business processes and internal/external stakeholder activities. There are approximately\n550 IRS end users of the applications, in addition to State Excise Tax Agencies and the motor\nfuel industry.\n\n\n\n\n                                                                                            Page 14\n\x0c    Effectiveness of Access Controls Over System Administrator\n                  User Accounts Can Be Improved\n\n\n\n                                                    Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                          Page 15\n\x0cEffectiveness of Access Controls Over System Administrator\n              User Accounts Can Be Improved\n\n\n\n\n                                                      Page 16\n\x0cEffectiveness of Access Controls Over System Administrator\n              User Accounts Can Be Improved\n\n\n\n\n                                                      Page 17\n\x0cEffectiveness of Access Controls Over System Administrator\n              User Accounts Can Be Improved\n\n\n\n\n                                                      Page 18\n\x0c'